Note that a cached JAR file does not imply that it has been executed. The behavior seen with Microsoft Internet Explorer in combination with JRE 1.7 in high security mode is that it downloads the JAR file and then prompts the user whether to execute the Java applet.

Note: there can also be an additional SystemCache directory, e.g. on Windows Vista and later, for user accounts:

C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\SystemCache\


IDX file format

Caveat: The following information is based on analysis of several dozen *.idx files from different Windows 7 systems. As such, it should not be considered to have been exhaustively researched.

The values present in the header are dependent on the version. The definition above is based on version 603 and is intended as an example; check the Java IDX Format Specification for more current information.

For the example above, the size of the URL string can be found at offset 130 (0x82). The first 4 string values to extract from this data are prefaced with their lengths (or sizes) as 16-bit big-endian values. For example, to retrieve the original URL string, read the WORD at offset 0x82 and interpret it as a big-endian value (e.g. using Perl, unpack("n",$data)). Beginning at offset 0x84, the string is 57 (0x39) bytes long. At the end of that string, the next WORD is the length of the third string, also in big-endian format.

Once you've completed reading the initial 4 strings, there is a DWORD value which can be interpreted as the number of header values, followed by the individual header value definitions. Each header value definition consists of an identifier and a value string. Both strings are prefaced by a 16-bit big-endian (2-byte) value, containing the length of the string.

In many cases, the first header value contains the HTTP Response code of 302. Other header values (that have been observed so far) include a response of 200, as well as additional data (including time stamps), and the *.idx files themselves appear to contain certificate (and perhaps other) information.
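The length-prefixed strings and header value definitions described above, as a small bounds-checked parser (an added example, not code from the original page or from any IDX tool). It assumes the DWORD count is big-endian like the length fields and takes the start offset 0x82 and the number of strings as parameters because they depend on the version; `max_headers` is a hypothetical sanity limit and the sample bytes are constructed.

```python
import struct

class IdxParseError(ValueError):
    """A length field is truncated or points past the end of the data."""

def read_lp_string(data, pos):
    """Read a string prefixed by a 16-bit big-endian length; return (text, next_pos)."""
    if pos + 2 > len(data):
        raise IdxParseError(f"length field at 0x{pos:x} is truncated")
    (size,) = struct.unpack_from(">H", data, pos)  # same as Perl unpack("n", ...)
    end = pos + 2 + size
    if end > len(data):
        raise IdxParseError(f"string at 0x{pos + 2:x} claims {size} bytes, data too short")
    return data[pos + 2:end].decode("utf-8", errors="replace"), end

def parse_idx_body(data, start=0x82, n_strings=4, max_headers=256):
    """Parse the length-prefixed strings, then the header count and header pairs."""
    pos, strings = start, []
    for _ in range(n_strings):
        text, pos = read_lp_string(data, pos)
        strings.append(text)
    if pos + 4 > len(data):
        raise IdxParseError("header count DWORD is truncated")
    (count,) = struct.unpack_from(">I", data, pos)  # assumption: big-endian DWORD
    if count > max_headers:  # hypothetical limit to reject corrupted counts
        raise IdxParseError(f"implausible header count {count}")
    pos, headers = pos + 4, []
    for _ in range(count):
        name, pos = read_lp_string(data, pos)    # identifier string
        value, pos = read_lp_string(data, pos)   # value string
        headers.append((name, value))
    return strings, headers

def lp(text):
    """Encode a string with its 16-bit big-endian length prefix (builds the sample)."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

# Constructed sample, not taken from a real cache: 0x82 padding bytes stand in for
# the version-dependent fixed header; the strings and header values are made up.
SAMPLE = (
    b"\x00" * 0x82
    + lp("http://applet.example.test/demo.jar") + lp("placeholder-2") + lp("") + lp("")
    + struct.pack(">I", 2)
    + lp("<null>") + lp("HTTP/1.1 302 Found") + lp("content-length") + lp("4096")
)

if __name__ == "__main__":
    print(parse_idx_body(SAMPLE))
```

A parse error on a real file usually means the offset or string count does not match that file's version, so check the version field before trusting the output.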